  1. XWiki Platform
  2. XWIKI-11310

The password security is different from one page to another and can be skipped

    Details

    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      This issue concerns security and UI

      I was searching for how to set a regex check on user passwords in order to increase security in my wiki and found that it can be overrun quite easily.

      At this moment we can set the password of a user in different ways, which all have their own password quality checks:

      1. Registration => XWiki/Registration
      2. Password recovery => XWiki/ResetPasswordComplete
      3. Admin user creation process => XWiki/XWikiPreferences?editor=globaladmin&section=Users#
      4. Password modification by the user himself => XWiki/PROFIL?xpage=passwd

      From a quality POV, some have regex checks, some have no check except that the password and the retyped password fit.

      From a UI POV, some checks need to reload the page, some don't, and some display errors in a modal while others display them directly in the form while writing.

      It would be best to use only one script to check the password quality for all places, since at this moment your password can be one letter long and modifying the checks takes 4 times the time.


              People

              • Assignee:
                surli Simon Urli
                Reporter:
                jcoury Jean Coury